Global Information Assurance Certification Paper

Page created by April Cook
 
CONTINUE READING
Global Information Assurance Certification Paper

                           Copyright SANS Institute
                           Author Retains Full Rights
  This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.

Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsec
Eric Hansen
                                                                                        GSEC_Practical_version 1.2F

                         Internal SLA (Service Level Agreements) for Information Security

           Overview
           Information security typically suffers due to a lack of serious commitment by an organization on
           the prevention side of security breaches. Many systems are compromised even after patches or

                                                                                                s.
           hotfixes have been publicized. The premise of this must be to understand the relationship

                                                                                             ht
           between the information technology (IT) team and the information security (IS) team. The

                                                                                         rig
           information security team must view themselves as customers of the information technology
           team. The IS teams must also see that their activities are common elements within the IT teams

                                                                                     ull
           service to the enterprise. IS’ three legged stool of Confidentiality, Integrity and Availability

                                                                                   f
           certainly coincides with IT’s Total Cost of Ownership (TCO) and Quality of Service (QoS)

                                                                               ins
           initiatives.
                Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

                                                                           eta
           Reactive versus Proactive

                                                                        rr
           The purpose of this paper is to advocate for the establishment of internal SLAs between the
           Information Technology team and the Information Security team. Internal SLAs should be

                                                                     ho
           established for the following reasons:
                                                                A ut
           Security prevention becomes institutionalized within the organization.
           Information security remains a relatively immature discipline within most organizations.
                                                             5,

           Incorporating IS into business processes that other departments or teams engage in is always
                                                          00

           beneficial. The advantage to the SLA approach is that emphasis is placed on substantive analysis
                                                      -2

           of deficiencies so servers, workstations, desktops, and laptops are configured securely prior to
           deployment into the field.
                                                   00
                                               20

           Staff can be evaluated on their security skill set.
           To aid the CIO in fully developing her staff, this process instigates a more complete evaluation of
                                            te

           the staff to see if they can fully support the details of the SLA.
                                          tu
                                       sti

           Training can be planned to enhance security skills.
           This may be considered as a sub-component of the item above, however, it has a somewhat
                                    In

           different angle because it puts the emphasis back on the IS team. For example, the IS team needs
                               NS

           to determine if in-house or external training is needed or better clarification on policy or
           procedural issues.
                           SA

           Processes are established for resolving security deficiencies on a regular basis.
                        ©

           The IT organization “fights fires” all the time and unless there is a formal process designated,
           implementing mundane patches prior to a contingency may be pushed to the bottom of the
           queue.

           Allocation  of staff time
               Key fingerprint       can FA27
                                 = AF19  better2F94
                                                 be assigned.
                                                      998D FDB5 DE3D F8B5 06E4 A169 4E46
           While the IS SLAs will not cover every security related service, clear, documented expectations
           allow IT managers to better plan their resources. This may be an example of incorporating the
           security resolution into a trouble ticket for a particular server.

                                           Eric_Hansen_GSEC_Practical
© SANS Institute 2000 - 2005                                                                      Author retains1full rights.
Eric Hansen
                                                                                        GSEC_Practical_version 1.2F

           Allocation of fiscal resources for the amount of security the organization determines it needs.
           This process presents a clearer, though not complete, picture of the commitment needed by the
           organization to fulfill its stated IS obligations.

           What are SLAs?

                                                                                                s.
           Service Level Agreements (SLAs) may come in a variety of forms. These can range from internal

                                                                                             ht
           agreements between departments or vendor to client agreements. Service Level Agreements for

                                                                                         rig
           internal entities are also referred to as Service Level Requirements (SLRs). For this paper, SLA
           and SLR will maintain similar meanings and will be referenced by SLA. The SLA is an

                                                                                     ull
           agreement between a perceived service provider and a perceived customer. The flavor of the

                                                                                    f
           agreement depends entirely on the parties involved. SLAs address the following fundamental

                                                                                ins
           questions: what is delivered; where is it delivered; when is it delivered?
               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

                                                                            eta
           In this type of arrangement, the IS team decides what it believes are the most important elements

                                                                        rr
           of the program to monitor. If a risk analysis was conducted, the results or recommendations
           from these reports should be used. A properly deployed defense-in-depth strategy will aid in the

                                                                     ho
           IS team’s decision on the SLAs to negotiate. The key is to assure the IT teams that the IS

                                                                  ut
           program knows exactly what it wants and how it can be fairly measured. Each organization will
           have different threat vectors and will need to allocate resources in different manners.
                                                                A
                                                             5,

           There are some additional guidelines on the governance of SLAs. They should be reviewed
                                                          00

           regularly and changed as needed. These agreements must also be somewhat flexible for both
                                                       -2

           parties without interfering with the integrity of the process. There must be some consideration
           for dependencies when implementing system related SLAs. One example may include a
                                                   00

           maintenance contract which requires vendor notification or assistance prior to any changes made
                                                20

           on a particular server or application. Finally, while having SLAs begins the codifying process, it
           will require on-going management from the IS and IT teams.
                                            te
                                          tu

           Critical Areas for SLAs
                                       sti

           The information security (IS) team must define the critical areas for the establishment of SLAs
           with the Information Technology team. This must focus upon those areas which the IT teams
                                    In

           have the most profound effect and control to significantly impact the IS program. Additionally,
                               NS

           the IS team needs to limit SLAs to the most critical items, otherwise the effect of these
           agreements is lessened. A risk analysis or a review of previous incidents may point toward the
                           SA

           most critical components for a particular organization. The following topical areas should be
           prevalent in most instances:
                        ©

           Network Scanning
           Many IS teams conduct scans to identify vulnerabilities on the network. Identifying the problems
           is merely the first part of the process. The next step is to determine how the problem should be
           resolved. The third =
               Key fingerprint  step is how
                                  AF19   FA27can2F94
                                                 it be998D
                                                       incorporated into a F8B5
                                                            FDB5 DE3D      process so that
                                                                                06E4   A169it should
                                                                                               4E46 not arise in
           the future. Many organizations use commercial tools to automate the network scanning process.
           If ISS Internet Scanner is being used, this product will document vulnerabilities grouped into
           categories of High Risk, Medium Risk and Low Risk. The Help Index within the ISS Internet
           Scanner defines risk levels in the following manner.

                                           Eric_Hansen_GSEC_Practical
© SANS Institute 2000 - 2005                                                                      Author retains2full rights.
Eric Hansen
                                                                                      GSEC_Practical_version 1.2F

                   High
                   Any vulnerability that allows an attacker to gain immediate access into a
                   machine, to gain superuser access, or to bypass a firewall. Examples include: A

                                                                                              s.
                   vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands

                                                                                           ht
                   on mail servers, installation of BackOrifice, NetBus or an Admin account

                                                                                       rig
                   without a password.

                                                                                   ull
                  Medium

                                                                                 f
                  References any vulnerability that provides information, degrades performance,

                                                                             ins
                  or a has a high potential of giving system access to an intruder. Examples
               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
                  include: identification of an active modem on the network, zone transfers,

                                                                          eta
                  writeable FTP directories.

                                                                      rr
                   Low

                                                                   ho
                   References any vulnerability that provides information that could potentially

                                                                ut
                   lead to a compromise. Examples include: Floppy drive is available to all users,
                   IE may perform insufficient SSL validation, logon and logoff auditing is not
                                                              A
                   enabled.
                                                           5,
                                                        00

           A value-add to the ISS tool is that it will provide recommendations and instructions on how to fix
                                                     -2

           the vulnerability. In the report, the IT teams may see:
                                                 00

           -       Configuration changes
                                              20

           -       Installation of service packs
           -       Installation of patches
                                           te

           -       ACL (Access Control List) changes
                                         tu

           -       Registry edits
                                      sti

           -       Disabling services
                                   In

           The single greatest benefit these recommendations provide to the IT teams is reducing the time to
                               NS

           research solutions to these problems, which should equate to faster implementation. Naturally,
           depending upon the severity of the vulnerability, this will determine the extent of the time
                           SA

           required to resolve the deficiency. For example, High vulnerabilities must be resolved within 48
           hours, Medium vulnerabilities resolved within one week and Low vulnerabilities resolved within
                        ©

           one month.

           Forensics
           Forensics provides a wide umbrella for which many investigations can be covered. IS teams are
           routinely   asked during
               Key fingerprint      an investigation
                                = AF19   FA27 2F94 what
                                                     998Dhappened,
                                                          FDB5 DE3Dwhen it happened
                                                                      F8B5  06E4 A169and4E46
                                                                                          should it have
           happened. Conducting a forensics investigation without the benefit of log files normally results
           in failure.

           For example, law enforcement subpoenas the company for which user(s) surfed on a particular

                                          Eric_Hansen_GSEC_Practical
© SANS Institute 2000 - 2005                                                                    Author retains3full rights.
Eric Hansen
                                                                                       GSEC_Practical_version 1.2F

           website. In this example, the company has an Internet filtering software product but logs the user
           by IP address. Additionally, the company has a client/server environment using DHCP. For the
           IS team to fulfill (after Corporate Counsel’s approval) the request within the subpoena, it will
           need to match the proxy logs and the DHCP logs together. To add to the complexity, the DHCP
           logs are maintained at each facility within the company’s organization but use one Internet access

                                                                                               s.
           point through the proxy server. Naturally, the first questions are: does the company retain the

                                                                                            ht
           proxy logs and for how long. If the period in question is covered, the next set of questions are:

                                                                                        rig
           does each individual site maintain the DHCP log and for how long; supplementing that question
           is what is the length of the reservation or lease for an IP address at each location. An added

                                                                                    ull
           function is to research whether successful or failed logon and logoff attempts are being logged for

                                                                                  f
           that particular user or computer. Another prime example is attempting to investigate strange

                                                                              ins
           behavior on a client without the benefit of complete logging information. Logging will normally
               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
           show if you have been “visited.”

                                                                          eta
                                                                       rr
           Therefore, SLAs pertaining to forensics may include:
           -      Proxy logs, firewall logs, server logs, syslogs, DHCP logs, client logs

                                                                    ho
           -      Length of time retained before being overwritten

                                                                 ut
           -      Threshold for moving the logs to a central logging server, portable media or off-site data
                  storage.
                                                               A
                                                            5,

           Change & Documentation Management
                                                         00

           In most situations, a well-run IT organization will normally equate to a well-managed data
                                                      -2

           security program. In addition to the IT teams having the appropriate skill sets, proper
           documentation of IT processes, equipment and resources must be keep current for a proper
                                                  00

           implementation of an IS program.
                                               20

           When conducting risk assessments, network scanning or responding to contingencies or
                                            te

           investigative requests, a properly documented network topology is necessary. While this may
                                         tu

           appear a reasonable request, networks are in a constant state of change. Changes to the
                                      sti

           documentation is slow due to the implementation of previous changes or forthcoming changes.
           An example of a SLA for the network topology is that each IT team must update the network
                                   In

           topology on a monthly basis.
                               NS

           A more detailed example is the anti-virus countermeasure program. User education and
                           SA

           investigations are conducted by the IS team, however, anti-virus software is administered by the
           IT teams. In this example, a company uses the TrendMicro family of products. The servers use
                        ©

           Server Protect, the Exchange environment uses Scanmail and the clients use Office Scan. These
           three products may appear as only one application, however, each has its own peculiarities to be
           understood. Comparing and contrasting the three applications are as follows.

           Common    documentation
               Key fingerprint = AF19elements  are which
                                        FA27 2F94   998D network  resource
                                                          FDB5 DE3D         has06E4
                                                                         F8B5   which   application,
                                                                                      A169  4E46 interval of
           system scanning, and what to do with infected files (move it, delete it, quarantine it). The
           OfficeScan product should have how the console managers are configured; ability for users to
           disable/enable the product; how pattern files are updated, i.e. on-the-fly, SMS, or through a logon
           script. Are special considerations are made for dial-up users as they may have to force a

                                           Eric_Hansen_GSEC_Practical
© SANS Institute 2000 - 2005                                                                     Author retains4full rights.
Eric Hansen
                                                                                           GSEC_Practical_version 1.2F

           “manual” update of the pattern files. The ScanMail product has the option of stripping specific
           file types (.exe, .com, .vbs, .scr, .bat) prior to the user receiving it. ServerProtect may be installed
           on servers not necessarily connected to the network but still needing anti-virus support.

           SLA elements may include designating critical applications that should have their documentation

                                                                                                   s.
           reviewed on a more frequent basis than others. For instance, the anti-virus documentation may

                                                                                                ht
           need updating every quarter while the ERP access roles need semi-annual review.

                                                                                            rig
           Elements to address when compiling SLAs for the Change/Documentation Management area

                                                                                        ull
           may include:

                                                                                      f
           - changes in configurations

                                                                                  ins
           - network infrastructure changes
               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
           - API changes

                                                                              eta
           - log of system failures and respective problem resolution

                                                                          rr
           - frequency of documentation review
           - detailed project description

                                                                       ho
           - responsible individuals for each document

                                                                    ut
           - written service and maintenance agreements
                                                                  A
           Data Back-ups
                                                               5,

           Data back-ups are the cornerstone to a strong IS program. After all is said and done, data back-
                                                           00

           ups still allow a company to recover its business either fully or from some established baseline.
                                                        -2

           At one company, a financial database back-up was disabled to allow a back-up on the tape library
           in favor of a pre-production server that was testing a new software release component for the
                                                    00

           production ERP application. The failure of this individual to notify the process owner that this
                                                 20

           occurred adversely affected the company. Mr. Murphy visited this company in the form of a
           crashed and a corrupted database. Since the database had not been backed-up for nearly three
                                              te

           months, a tremendous amount of unproductive labor went into recreating that data. Most
                                           tu

           companies have already experienced problems when attempting to restore a backed-up
                                        sti

           application and finding out that the tape was corrupted, contained no data, only contained a
           partial back-up or was infected with viruses/malicious software.
                                     In
                                NS

           Some elements to determine when creating SLAs within the topic may include:
           -     Conceptual back-up documentation
                            SA

           -     Verification that the data on back-up is valid
           -     Documentation of which server/applications are backed-up and the respective schedule
                         ©

           -     Validation of restore through a regularly scheduled check
           -     Designation of an off-site storage location and the pick-up/drop-off schedule
           -     Designation of which back-ups contain company confidential or proprietary information
           -     Explanation of the labeling scheme used by the IT teams to track back-ups
           - KeyDocumentation     on how
                  fingerprint = AF19   FA27to2F94
                                             conduct
                                                  998Dback-ups  and theF8B5
                                                         FDB5 DE3D      restoration of back-ups
                                                                             06E4 A169    4E46
           -     Anti-virus check prior to backing up

                                             Eric_Hansen_GSEC_Practical
© SANS Institute 2000 - 2005                                                                         Author retains5full rights.
Eric Hansen
                                                                                    GSEC_Practical_version 1.2F

           Conclusion
           The establishment of IS SLAs between the IT teams and the IS teams is necessary to assure the
           enterprise that proactive measures are implemented. This provides the IT teams with reasonable
           expectations and provides the IS teams with a definitive spot in the queue, other than last.

                                                                                            s.
                                                                                         ht
                                                                                     rig
                                                                                full
                                                                            ins
               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

                                                                        eta
                                                                     rr
                                                                  ho
                                                             A ut
                                                          5,
                                                       00
                                                    -2
                                                00
                                             20
                                           te
                                        tu
                                     sti
                                  In
                               NS
                           SA
                        ©

               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

                                          Eric_Hansen_GSEC_Practical
© SANS Institute 2000 - 2005                                                                  Author retains6full rights.
Eric Hansen
                                                                                    GSEC_Practical_version 1.2F

           List of References

           Andress, Mandy. “Internal SLAs Benefit the Entire Company.” Infoworld. April 27, 2001 URL:
           http://www.infoworld.com/articles/tc/xml/01/04/30/010430tcintersla.xml (December 1, 2001)

                                                                                            s.
           Bernard, Allen. “The SLAs They Are A’Changin.” ASPnews.com. July 27, 2001 URL:

                                                                                         ht
           http://www.aspnews.com/trends/article/0,2350,9921_792841,00.html (December 1, 2001)

                                                                                     rig
           Bolding, Jeb. “SLAs: Do They Hit the Mark?” Network World ASP Newsletter. July 16, 2001

                                                                                 ull
           URL: http://www.nwfusion.com/newsletters/asp/2001/00915560.html (December 1, 2001)

                                                                                f
                                                                            ins
           Cope, James. “12 Ways to a Better SLA.” COMPUTERWORLD. November 12, 2001 URL:
               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
           http://www.computerworld.com/storyba/0,4125,NAV47_STO65569,00.html (December 1, 2001)

                                                                        eta
                                                                     rr
           Koch, Christopher. “Put It In Writing.” CIO Magazine, November 15, 1998. URL:
           http://www.cio.com/archive/111598/sla.html (December 1, 2001)

                                                                  ho
                                                               ut
           Lacerda, Cecinio Silva. “Service Level Agreement.” www.whatis.com August 6, 2001 URL:
           http://whatis.techtarget.com/definition/0,289893,sid9_gci213586,00.html (December 1, 2001)
                                                             A
                                                          5,

           McAnally, Pat. “ERP and Business Continuity: What the Experts Won’t Tell You.”
                                                       00

           www.disaster-resource.com
                                                    -2

           URL:http://www.disaster-resource.com/cgi-bin/article_search.cgi?id='21 (December 1, 2001)
                                                00

           Scalet, Sarah D. “Here Come the Lawyers.” CIO Magazine, November 8, 2001. URL:
                                              20

           http://www.cio.com/security/edit/a110801_legal.html (December 1, 2001)
                                           te

           Schroeder, Max. “A SLA Primer, Allen’s Law: Almost anything is easier to get into, than get out
                                        tu

           of.” Computer Telephony, March 5, 2001
                                     sti

           URL: http://www.cconvergence.com/article/CTM20010216S0002 (December 1, 2001)
                                  In

           Wrobel, Leo A. “Components of a Successful LAN Disaster Recovery Plan.” www.disaster-
                                NS

           resource.com
           URL: http://www.disaster-resource.com/cgi-bin/article_search.cgi?id='95' (December 1, 2001)
                           SA

           Internet Security Systems – Internet Scanner Help Index – Version 6.1 www.iss.net
                        ©

           TrendMicro – OfficeScan, Server Protect and ScanMail product descriptions
           http://www.antivirus.com/products

               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

                                          Eric_Hansen_GSEC_Practical
© SANS Institute 2000 - 2005                                                                  Author retains7full rights.
Last Updated: February 12th, 2021

      Upcoming Training

SANS Secure Japan 2021                        Virtual - Japan Standard Feb 22, 2021 - Mar 13, 2021     CyberCon
                                              Time, Japan
SANS Scottsdale: Virtual Edition 2021         ,                        Feb 22, 2021 - Feb 27, 2021     CyberCon
                                              Virtual - Greenwich
SANS London February 2021                     Mean Time, United        Feb 22, 2021 - Feb 27, 2021     CyberCon
                                              Kingdom
SANS Cyber Security East: March 2021          ,                          Mar 01, 2021 - Mar 06, 2021   CyberCon
                                              Virtual - Singapore
SANS Secure Asia Pacific 2021                 Standard Time,             Mar 08, 2021 - Mar 20, 2021   CyberCon
                                              Singapore
SANS Secure Asia Pacific 2021                 Singapore, Singapore       Mar 08, 2021 - Mar 20, 2021   Live Event

SANS Cyber Security West: March 2021          ,                       Mar 15, 2021 - Mar 20, 2021      CyberCon
                                              Virtual - Gulf Standard
SANS Riyadh March 2021                        Time, Kingdom Of Saudi Mar 20, 2021 - Apr 01, 2021       CyberCon
                                              Arabia
SANS 2021                                     ,                          Mar 22, 2021 - Mar 27, 2021   CyberCon

SANS Secure Australia 2021                    Canberra, Australia        Mar 22, 2021 - Mar 27, 2021   Live Event
                                              Virtual - Central
SANS Munich March 2021                        European Time,             Mar 22, 2021 - Mar 27, 2021   CyberCon
                                              Germany
                                              Virtual - Australian
SANS Secure Australia 2021 Live Online        Eastern Daylight Time,     Mar 22, 2021 - Mar 27, 2021   CyberCon
                                              Australia
SANS Cyber Security Mountain: April 2021      ,                          Apr 05, 2021 - Apr 10, 2021   CyberCon

SANS London April 2021                        Virtual - British Summer   Apr 12, 2021 - Apr 17, 2021   CyberCon
                                              Time, United Kingdom
SANS Autumn Australia 2021                    Sydney, Australia          Apr 12, 2021 - Apr 17, 2021   Live Event
                                              Virtual - Australian
SANS Autumn Australia 2021 - Live Online      Eastern Standard Time,     Apr 12, 2021 - Apr 17, 2021   CyberCon
                                              Australia
                                              Virtual - Central
SANS SEC401 (In Spanish) April 2021           European Summer Time,      Apr 12, 2021 - Apr 23, 2021   CyberCon
                                              Spain
SANS Cyber Security East: April 2021          ,                          Apr 12, 2021 - Apr 17, 2021   CyberCon

SANS Secure India 2021                        Virtual - India Standard   Apr 19, 2021 - Apr 24, 2021   CyberCon
                                              Time, India
SANS Baltimore Spring: Virtual Edition 2021   ,                          Apr 26, 2021 - May 01, 2021   CyberCon

SANS Cyber Security Central: May 2021         ,                          May 03, 2021 - May 08, 2021   CyberCon

SANS Security West 2021                       ,                     May 10, 2021 - May 15, 2021        CyberCon
                                              Virtual - Central
SANS Amsterdam May 2021                       European Summer Time, May 17, 2021 - May 22, 2021        CyberCon
                                              Netherlands
SANS Cyber Security East: May 2021            ,                     May 17, 2021 - May 22, 2021        CyberCon
                                              Virtual - Central
SANS Stockholm May 2021                       European Summer Time, May 31, 2021 - Jun 05, 2021        CyberCon
                                              Sweden
                                              Virtual - Central
SANS In French May 2021                       European Summer Time, May 31, 2021 - Jun 05, 2021        CyberCon
                                              France
SANS Cyber Security Central: June 2021        ,                          Jun 07, 2021 - Jun 12, 2021   CyberCon
                                              Virtual - Central
SANS Paris June 2021                          European Summer Time,      Jun 14, 2021 - Jun 19, 2021   CyberCon
                                              France
You can also read